1.GENERAL PROVISIONS

1.1.This privacy policy of the Internet Shop serves for information purposes which means that it is not a source of obligations for Service Recipients or Clients of the Internet Shop. First of all, the privacy policy contains the principles related to the processing of personal data by the Controller in the Internet Shop, including bases, purposes and the scope of personal data processing and rights of data subjects, as well as the information in the scope of using cookies and analytical tools in the Internet Shop.

1.2.The controller of personal data gathered by the Internet Shop is Mateusz Lasota conducting business activity under the business name of ISO TRADE MATEUSZ LASOTA entered in the Central Registration and Information on Business of the Republic of Poland maintained by the minister of economy, holding address of the business office and address for deliveries: Rzeczypospolitej Street 116, 59-220 Legnica, Taxpayer Identification Number (NIP) 6912221018, business statistical number (REGON) 020206884, e-mail: hurt@maxy.pl and the telephone number: 666002003 – hereinafter referred to as the „Controller” and being at the same time the Service Provider of the Internet Shop and the Seller.

1.3.Personal data in the Internet Shop are processed by the Controller in accordance with the applicable laws, especially according to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (general data protection regulation) – hereinafter referred to as “GDPR” or GDPR “Regulation”. The official text of GDPR can be found here:http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679

1.4. The use of and purchase in the Internet Shop is voluntary. Similarly, submission of personal data by the Service Recipient or the Client of the Internet Shop is voluntary with the reservation of two exceptions: (1) conclusion of agreements with the Controller - failure to provide such data in cases and in the scope provided for on the website of the Internet Shop, in the Regulations of the Internet Shop and in this privacy policy required for the conclusion and performance of the Sales Agreement or an agreement for the Electronic Services with the Controller causes that such agreement cannot be concluded. Submission of personal data is in such case a contractual requirement and if a data subject is willing to conclude a given agreement with the Controller, he/she shall be obliged to provide the required data. The scope of data required to conclude the agreement is specified each time on the website of the Internet Shop or in the Regulations of the Internet Shop; (2) statutory obligations of the Controller: submission of personal data is a statutory requirement resulting from applicable laws imposing on the Controller the obligation to process personal data (e.g. processing of data for the purpose of keeping tax or accounting books) and in the event of their absence the Controller will not be able to fulfil such obligations.

1.5. The Controller shall exercise due care in order to protect interests of data subjects whose data are processed by the Controller, especially the Controller shall be liable and ensures that the data are: (1) processed in accordance with the law; (2) collected for specific legal purposes and are not subject to illegal processing; (3) correct and adequate as regards their content in relation to purposes for which they are processed; (4) stored in the form that enables identification of data subjects, no longer than it is indispensable to reach the purpose of processing and (5) processed in the manner ensuring relevant safety of personal data, including protection against unauthorised or illegal processing and accidental loss, destruction or damage, with the use of suitable technical or organizational measures.

1.6. Taking into account the nature, scope, context and purposes of processing as well as the risk of infringing rights or freedom of natural persons of various probability and importance of threat, the Controller implements relevant technical and organizational measures so that the data were processed in accordance with this regulation and he/she was able to demonstrate it. Such measures are reviewed and updated, if necessary. The Controller applies technical measures that prevent personal data sent electronically from being gained and modified by unauthorised entities.

1.7. Any words, expressions and acronyms used in this privacy policy and starting with a capital letter (e.g. the Seller, the Internet Shop, Electronic Service) shall be interpreted in accordance with their meaning included in the Regulations of the Internet Shop available on its website.

2.BASES OF DATA PROCESSING

2.1. The Controller shall be authorised to process personal data in cases and in the scope in which at least one of the following conditions is met: (1) a data subject has given its consent to the processing of its personal data for one or a greater number of specific purposes; (2) processing is necessary to execute the agreement to which the data subject is a party or to take actions at the request of the data subject before the conclusion of the agreement; (3) processing is necessary to meet a legal obligation imposed by the Controller; or (4) processing is required for purposes resulting from legally justified interests realized by the Controller or a third party, subject to situations in which interests or fundamental rights and freedom of a data subject requiring personal data protection are superior to such interests, especially when the data subject is a minor.

2.2. Personal data processing by the Controller requires each time the existence of at least one of bases specified in clause 2.1 above. Concrete basics of processing of personal data by the Controller of Service Recipients and Clients of the Internet Shop are specified in the clause below – in relation to a given purpose of data processing by the Controller.

3.1. Each time the purpose, base, period and scope as well as recipients of personal data processed by the Controller result from actions taken by a given Service Recipient or Client in the Internet Shop. For instance, if the Client decides to make purchase in the Internet Shop and chooses personal collection of the Product instead of a courier mail, its personal data shall be processed for the purpose of executing the Sales Contract but will not be made available to the carrier responsible for the delivery upon the order of the Controller.

3.2. The Controller can process personal data in the Internet Shop for the following purposes, on the following bases, in the following periods and in the following scope:

Purpose of data processing

Legal basis of processing and period of storing data

Scope of processed data

Performance of the agreement for the provision of Electronic Service or taking actions at the request of a data subject before the conclusion of the agreement

Art. 6 par. 1 letter b) of GDPR (performance of the agreement)

Data are stored for a period that is necessary for the performance, termination or other expiry of the agreement.

Maximum scope: name and surname, name of the company, address of electronic mail; telephone number, place of delivery (street, house number, room number, postal code, city, country), address of residence/address of business activity/address of the registered office (if different than the delivery address), Taxpayer Identification Number (NIP).

It is a maximum scope – in case of personal collection there is no need to provide the address of delivery.

Data are stored for a period of the existence of legally justified interest of the Controller, however, no longer than for a period of limitation for claims in relation to the data subject on account of business activity conducted by the Controller. The limitation period is specified by the provisions of the law, especially of the Civil Code (basic limitation period for claims connected with business activity amounts to three years, whereas two years for a sales contract).

The Controller cannot process the data for the purpose of direct marketing in the event of an effective objection in this scope expressed by the data subject.

Address of electronic mail

Marketing

Art. 6 par. 1 letter a) of GDPR (consent)

Data are stored until the moment the consent to further processing of data for this purpose has been withdrawn by the data subject.

Data are stored for a period required by the law that imposes an obligation on the Controller to store accounting books (5 years counting from the beginning of the year following the financial year to which data refer).

Name and surname; address of residence/address of business activity/address of the registered office (if different than the delivery address name of the company and taxpayer identification number (NIP) of the Service Recipient or the Client

Establishing, pursuing or protecting against claims to be laid by the Controller or that can be laid towards the Controller

Art. 6 par. 1 letter f) of GDPR

Data are stored for a period of the existence of legally justified interest of the Controller, however, no longer than for a period of limitation for claims in relation to the data subject on account of business activity conducted by the Controller. The limitation period is specified by the provisions of the law, especially of the Civil Code (basic limitation period for claims connected with business activity amounts to three years, whereas two years for a sales contract.

Name and surname; name of the company, telephone number; address of electronic mail; delivery address (street, house number, room number, postal code, city, country), address of residence/address of business activity/address of the registered office (if different than the delivery address)

In case of Service Recipients or Clients not being consumers the Controller can additionally process the name of the company and a taxpayer identification number (NIP).

4. RECIPIENTS OF DATA IN THE INTERNET SHOP

4.1. In order for the Internet Shop to operate properly, including the conclusion of Sales Contracts, it is indispensable for the Controller to use services of external entities (such as e.g. supplier of software, courier or payment service provider). The Controller uses only services of processing entities that provide sufficient guarantees of implementing relevant technical and organizational measures so that the processing of data meet the requirements provided for in RODO Regulation and protect rights of data subjects.

4.2. Data are not provided by the Controller in each case and not to all recipients or a category of recipients indicated in the privacy policy – the Controller submits the data exclusively when it is necessary to accomplish a given goal of processing personal data and only in the scope indispensable for its accomplishment. For instance, if the Client chooses personal collection of the Product, its personal data will not be made available to the carrier cooperating with the Controller.

4.3. Personal data of Service Recipients and Clients of the Internet Shop can be provided to the following recipients or categories of recipients:

carriers / shipper / courier brokers – if the Client chooses mail or courier shipment in the Internet Shop, the Controller provides personal data of the Client to a selected carrier, shipper or agent delivering Products upon the order of the Controller in the scope that is necessary to execute delivery of the Product to the Client.

Entities offering electronic payment services or payments by card – if the Client decides to pay in the Internet Shop with the use of electronic payment or payment by card, the Controller provides personal data of the Client to a selected entity offering the aforementioned services in the Internet Shop upon the order of the Controller in the scope that is necessary to execute payment of the Client.

Suppliers of services providing the Controller with technical, IT and organizational solutions that enable the Controller to conduct business activity, including the Internet Shop and Electronic Service rendered via its agency (in particular suppliers of computer software to conduct the Internet Shop, electronic mail and hosting providers and providers of software to manage business and provide technical assistance to the Controller) – the Controller makes available gathered personal data of the Client to selected supplier acting at his/her order only in case and in the scope required to accomplish a given goal of data processing in accordance with this privacy policy.

Suppliers of accounting, legal and consulting services providing the Controller with accounting, legal and consulting support (especially an accounting office, law office or a debt collection entity) – the Controller makes available gathered personal data of the Client to a selected supplier acting at his/her order only in case and in the scope required to accomplish a given goal of data processing in accordance with this privacy policy.

5. PROFILING IN THE INTERNET SHOP

5.1. GDPR imposes an obligation on the Controller to inform about the automated decision making process, including profiling referred to in art. 22 par. 1 and 4 of GDPR, and – at least in these cases – material information related to the principles of making them, and about the meaning and anticipated consequences of such processing for the data subject. In view of the foregoing the Controller provides in this clause of the privacy policy information concerning possible profiling.

5.2.The Controller can use profiling in the Internet Shop for the purpose of direct marketing but decisions made on its basis by the Controller do not refer to the conclusion or refusal to conclude the Sales Contract, or a possibility of using Electronic Services in the Internet Shop. The use of profiling in the Internet Shop may result, for instance, in awarding a discount to a given person, sending them a discount code, notification on unfinished purchase, sending a proposal of a Product that may corresponds to interests or preferences of a given person, or proposing more beneficial conditions in comparison to a standard offer of the Internet Shop. Anyway, a given person makes own decisions whether to use such discount or better conditions and to make purchase in the Internet Shop.

5.3. Profiling in the Internet Shop consists in an automatic analysis or forecast of behaviours of a given person on the website of the Internet Shop, e.g. by adding a concrete Product to the basket, viewing the website of a concrete Product in the Internet Shop or by analysing the existing purchase history in the Internet Shop. Such profiling is possible provided that the Controller holds personal data of a given person in order to be able to provide such person e.g. with a discount code.

5.4. The data subject has the right not to be subject to the decision that is based exclusively on the automated processing, including profiling, and results in legal consequences for such data subject or has a similar impact on it.

6. RIGHTS OF DATA SUBJECT

6.1. The right to access, rectify, limit, delete or transfer – a given data subject has the right to request the Controller to access his/her data, to rectify them, to delete them („the right of being forgotten”) or to limit the processing as well as has the right to object to the processing, and the right to transfer his/her data. Detailed terms and conditions of exercising the aforementioned rights are included in art. 15-21 of GDPR.

6.2. The right to withdraw the consent at any time – the data subject whose data are processed by the Controller on the basis of the consent given (pursuant to art. 6 par. 1 letter a) or art. 9 par. 2 letter a) of GDPR) has the right to withdraw the consent at any time without any impact on the compliance with the right to process made on the basis of such consent before it was withdrawn.

6.3. The right to lodge a complaint to a supervisory authority – the data subject whose data are processed by the Controller has the right to lodge a complaint to a supervisory authority in the manner and in accordance with the provisions of GDPR and the Polish law, especially the Personal Data Protection Act. The President of Personal Data Protection Office is the supervisory authority in Poland.

6.4. The right to object – the data subject has the right to object at any time – for reasons related to its special situation – to the processing of data based on art. 6 par. 1 letter e) (interest or public tasks) or f) (legally justified interest of the Controller), including profiling based on these regulations. In such event the Controller must not process such personal data unless it manifests legally justified bases for such processing, superior to the interests, rights and freedom of the data subject or bases for establishing, pursuing or protecting claims.

6.5. The right to object related to direct marketing – if personal data are processed for the purpose of direct marketing, the data subject has the right at any time to object to such processing of its personal data for the purpose of such marketing, including profiling, in the scope in which the processing is connected with such direct marketing.

6.6. In order to exercise rights referred to in this clause of the privacy policy, the Controller can be contacted by way of sending a relevant message in writing or via e-mail to the address of the Controller indicated in the introduction to the privacy policy or with the use of a contact form available on the website of the Internet Shop.

7.COOKIES IN THE INTERNET SHOP, OPERATIONAL DATA AND ANALYTICS

7.1. Cookies include small text information in the form of text files, sent via server and saved on a hard disc, laptop or a memory card of a smartphone of an individual vising the website of the Internet Shop – depending on the type of device used by the visitor of our Internet Shop). Detailed information about Cookies and their history can be found here: http://pl.wikipedia.org/wiki/Ciasteczko.

7.2. The Controller can process the data included in Cookies while users visit the website of the Internet Shop for the following purposes:

Identification of Service Recipients as logged in the Internet Shop and showing that they are logged;

Saving Products added to the basket for the purpose of placing the Order;

Saving data provided in Order Forms, surveys or logging data in the Internet Shop;

Adjustment of the content of the website of the Internet Shop to individual preferences of the Service Recipient (e.g. related to colours, font size, layout) and optimization of use of the website of the Internet Shop;

Making anonymous statistics showing how the website of the Internet Shop is used;

remarketing, i.e. examination of behaviours of people vising the Internet Shop by way of an anonymous analysis of such behaviours (e.g. repeating visits on specific sites, key words etc.) for the purpose of creating their profile and providing them with advertisements adjusted to their anticipated interests, also when they visit other websites in Google Inc. and Facebook Ireland Ltd. Advertisement networks;

7.3. Usually the majority of Internet browsers available in the market accepts saving of Cookies by design. Everyone can define terms and conditions of using Cookies with the use of settings of own Internet browser. It means that it is possible to temporarily limit or completely disable saving of Cookies – however, if Cookies are disabled it may have an influence on some functionalities of the Internet Shop (for instance, it may become impossible to go through the process of placing the Order with the use of the Order Form since Products in the basket will not be saved at the successive steps of the Order).

7.4. Settings of the Internet browser related to Cookies are essential from the point of view of consent to use Cookies by our Internet Shop – according to the regulations such consent can also be expressed by way of proper settings of the browser. In the absence of such consent settings concerning Cookies should be changed accordingly.

7.5. Detailed information related to the change of settings concerning Cookies and their independent removal in the most popular Internet browsers is available in the ‘Help’ section of the browser and on the following sites (click the link):

7.6. The Controller can use Google Analytics, Universal Analytics provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) in the Internet Shop. These services help the Controller analyse movement in the Internet Shop. Gathered data are processed as part of the aforementioned services in an anonymised manner (they are the so-called operational data that enable identification of a given person) to generate statistics supporting the administration of the Internet Shop. The data are of collective and anonymous nature, i.e. they do not contain identification features (personal data) of people visiting the Internet Shop. Using the aforementioned services in the Internet Shop the Controller gathers such data as sources and medium of gaining visitors of the Internet Shop as well as their behaviours in such Internet Shop, information related to devices and browsers used to visit our website, IP and domain, geographical data and demographic data (age, sex) and interests.

7.7. The information on the activity in the Internet Shop can be easily blocked for Google Analytics – to this effect a useful addition to the browser can be installed provided by Google Inc. available here: https://tools.google.com/dlpage/gaoptout?hl=pl.

8. FINAL PROVISIONS

8.1. The Internet Shop can contain references to other websites. After going to such other websites, the Controller recommends to read the privacy policy provided therein. This privacy policy applies only to the Internet Shop of the Controller.